<p>When using the setAttribute() method, the value passed must be serializable. Application servers may serialize the HTTP session to persist it or replicate it across nodes, and a non-serializable attribute value makes that fail.</p>

<h2>Noncompliant Code Example</h2>
<pre>
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class Address {
  //...
}

//...
HttpSession session = request.getSession();  // request is the current HttpServletRequest
session.setAttribute("address", new Address());  // Noncompliant; Address is not Serializable
</pre>
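<p>The compliant counterpart, as an added example that is not part of the original rule page: <code>Address</code> implements <code>Serializable</code>, and a hypothetical <code>SessionAttributes.setChecked()</code> helper verifies by an actual serialization round-trip before calling <code>setAttribute()</code>; the field names, the helper and the <code>javax.servlet</code> package are assumptions.</p>

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import javax.servlet.http.HttpSession; // assumed: javax.servlet (jakarta.servlet on Jakarta EE 9+)

// Compliant: Address implements Serializable, so a container that persists or
// replicates the session can write it out.
public class Address implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String street;
    private final String city;

    public Address(String street, String city) {
        this.street = street;
        this.city = city;
    }

    public String getStreet() { return street; }
    public String getCity() { return city; }
}
// Hypothetical guard (not part of the rule): stores a session attribute only if
// the value can really be written by Java serialization. This also rejects a
// Serializable class whose fields hold non-serializable objects, which the
// instanceof check alone would miss.
final class SessionAttributes {
    public static boolean isSerializable(Object value) {
        if (value == null) {
            return true; // null can be stored in any session
        }
        if (!(value instanceof Serializable)) {
            return false; // e.g. the original Address without "implements Serializable"
        }
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value); // throws NotSerializableException (an IOException) on any non-serializable field
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void setChecked(HttpSession session, String name, Object value) {
        if (!isSerializable(value)) {
            throw new IllegalArgumentException("Session attribute '" + name + "' is not serializable: " + value.getClass().getName());
        }
        session.setAttribute(name, value);
    }
}
```

<p>Calling <code>SessionAttributes.setChecked(session, "address", new Address("1 Main St", "Springfield"))</code> stores the attribute, while passing an instance of the original non-serializable <code>Address</code> throws before anything reaches the session.</p>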

<h2>See</h2>
<ul>
  <li><a href="http://cwe.mitre.org/data/definitions/579.html">MITRE, CWE-579</a> - J2EE Bad Practices: Non-serializable Object Stored in Session</li>
</ul>
